VID | 21717 |
Severity | 20 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
The F-Secure Policy Manager Server is affected by a path disclosure vulnerability in the CGI '/fsms/fsmsh.dll'. F-Secure Policy Manager allows administrators to install, configure, update and monitor all F-Secure Anti-virus and security solutions from a single system. The Management Agent in F-Secure Policy Manager version 5.61 and earlier versions could allow a remote attacker to obtain sensitive information, such as the absolute path for the web server, by sending an HTTP request for the file '/fsms/fsmsh.dll' without any parameters. This information might help a remote attacker to launch further attacks against the affected system.
* References:
  * http://support.f-secure.com/enu/corporate/supportissue/pm/faq.shtml#2004121500
  * http://secunia.com/advisories/13416/
  * http://www.securityfocus.com/archive/1/383948
  * http://www.oliverkarow.de/research/f-secure.txt
* Platforms Affected:
  * F-Secure Policy Manager version 5.61 and earlier versions
  * Microsoft Windows Any version
  * Linux Any version |
Recommendation |
Upgrade to the latest version of F-Secure Policy Manager (later than 5.61), available from the F-Secure Policy Manager Web site at http://www.f-secure.com/webclub/policy-man/eng/index.shtml |
Related URL | CVE-2004-1223 (CVE) |
Related URL | 11869 (SecurityFocus) |
Related URL | 18413 (ISS) |